College CTF: Reversing Challenge

First look at the Binary

I always like to run a few quick tests on the binary first. They can be an easy win, or at least give some insight into what is going on inside without having to dig deeper just yet.

ltrace output

Taking apart the Binary

“Now it's time to bust you open!” — Accelerator (A Certain Scientific Accelerator)

IDA disassembler showing all the entry points
ASCII encoded strings
An outgoing reference to b64encode
The overly-confusing function
The strange b64 string is loaded into the rdx register
The base64decode function is called soon after, with the base64 string passed as its argument
  1. flagfunk() calls the decode function with the string as an argument.
  2. The decoded string is returned to flagfunk().
  3. Some operation is then performed on the decoded string to generate the flag. So at this point, it seemed feasible to just call flagfunk() and let it do the work!
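The first-look steps above (pull the ASCII strings out of the binary, spot the odd-looking base64 blob among them, decode it) can be scripted. The following is an added example, not code from the original write-up or from the challenge; it runs against a small constructed byte blob standing in for the real binary, and the flag text inside it is made up. The useful check it adds is that a valid-looking base64 string must also decode to printable text before it is worth a second look, since short alphanumeric identifiers such as function names are "valid" base64 too but decode to garbage.

```python
import base64
import binascii
import re
import string

# Constructed stand-in for the CTF binary: raw bytes around a few embedded
# strings, one of which is a base64 blob. The flag text is invented.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Enter your input: \x00"
    + b"\x90\x90\xcc"
    + b"b64encode\x00"
    + base64.b64encode(b"flag{added_example_not_the_real_flag}") + b"\x00"
    + b"wrong\x00"
    + b"\xff\xfe"
    + b"flagfunk\x00"
)

# Printable ASCII, minus control whitespace (space itself is kept).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def extract_strings(blob: bytes, min_len: int = 4) -> list[bytes]:
    """Mimic `strings`: return runs of printable ASCII of at least min_len bytes."""
    out, run = [], bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(bytes(run))
        run = bytearray()
    if len(run) >= min_len:
        out.append(bytes(run))
    return out


def base64_candidates(strs: list[bytes]) -> list[tuple[bytes, bytes]]:
    """Return (encoded, decoded) pairs for strings that are well-formed base64
    AND decode to printable text. Identifiers like b"flagfunk" pass the
    alphabet/length check but decode to non-printable bytes, so they are dropped."""
    found = []
    for s in strs:
        if len(s) < 8 or len(s) % 4 != 0 or not B64_RE.match(s):
            continue
        try:
            dec = base64.b64decode(s, validate=True)
        except binascii.Error:
            continue
        if dec and all(c in PRINTABLE for c in dec):
            found.append((s, dec))
    return found


if __name__ == "__main__":
    strs = extract_strings(SAMPLE_BINARY)
    print("strings:", strs)
    for enc, dec in base64_candidates(strs):
        print(f"base64 candidate {enc!r} -> {dec!r}")
```

On a real target, read the file with `open(path, "rb").read()` in place of `SAMPLE_BINARY`. Anything this turns up is only a lead: here the decoded blob is not yet the flag, since the write-up shows flagfunk() transforming it further, which is exactly why the debugger route below is attractive.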

Dynamic Analysis!

The binary is not stripped, so we have two options: either analyze flagfunk() and recreate our own version of it to generate the flag, or simply run it under a debugger and watch the flag being generated. I chose the second option since it is easier!

break * flagfunk+675
All set!
The flag is already visible!
Flag!

flagfunk()

So, we got the flag, noice! But what magic happened inside flagfunk() that turned an unreadable string into a readable flag?

flagfunk analysis

Playing with input

It’s time to talk about the func() function. I realized that certain inputs trigger a call to this function from main.

funny outputs

Conclusion

Interesting binary! It reminded me that sometimes there is an easy workaround, too!
